CVE-2022-42915: HTTP proxy double-free

Medium
C
curl
Submitted None
Reported by bagder

Vulnerability Details

Technical details and impact analysis

Double Free
This is a finding that Trail of Bits found in their ongoing curl security audit. Reported at a status meeting today.

## Summary:

curl frees memory twice in some cleanup function related to HTTP proxies. It is as simple as

`curl -x http://localhost:80 dict://127.0.0.1`

Using valgrind on the current git master, it shows:

```
==55921== Memcheck, a memory error detector
==55921== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==55921== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==55921== Command: ./src/curl -x http://localhost:80 dict://127.0.0.1
==55921== Parent PID: 3035
==55921==
==55921== Invalid free() / delete / delete[] / realloc()
==55921==    at 0x484617B: free (vg_replace_malloc.c:872)
==55921==    by 0x152464: curl_dbg_free (memdebug.c:297)
==55921==    by 0x17E11C: Curl_free_request_state (url.c:2259)
==55921==    by 0x179B38: Curl_close (url.c:421)
==55921==    by 0x1482DD: curl_easy_cleanup (easy.c:799)
==55921==    by 0x1359F4: post_per_transfer (tool_operate.c:657)
==55921==    by 0x13D085: serial_transfers (tool_operate.c:2431)
==55921==    by 0x13D5FC: run_all_transfers (tool_operate.c:2617)
==55921==    by 0x13D972: operate (tool_operate.c:2729)
==55921==    by 0x13427C: main (tool_main.c:276)
==55921==  Address 0x5b1c790 is 0 bytes inside a block of size 984 free'd
==55921==    at 0x484617B: free (vg_replace_malloc.c:872)
==55921==    by 0x152464: curl_dbg_free (memdebug.c:297)
==55921==    by 0x17AE5E: conn_free (url.c:810)
==55921==    by 0x17B132: Curl_disconnect (url.c:893)
==55921==    by 0x15D523: multi_runsingle (multi.c:2614)
==55921==    by 0x15D7B6: curl_multi_perform (multi.c:2683)
==55921==    by 0x147FFB: easy_transfer (easy.c:663)
==55921==    by 0x14822C: easy_perform (easy.c:753)
==55921==    by 0x148276: curl_easy_perform (easy.c:772)
==55921==    by 0x13D064: serial_transfers (tool_operate.c:2429)
==55921==    by 0x13D5FC: run_all_transfers (tool_operate.c:2617)
==55921==    by 0x13D972: operate (tool_operate.c:2729)
==55921==  Block was alloc'd at
==55921==    at 0x48485EF: calloc (vg_replace_malloc.c:1328)
==55921==    by 0x1521A6: curl_dbg_calloc (memdebug.c:175)
==55921==    by 0x1BEC8F: connect_init (http_proxy.c:174)
==55921==    by 0x1C02C2: Curl_proxyCONNECT (http_proxy.c:1061)
==55921==    by 0x1BEA43: Curl_proxy_connect (http_proxy.c:118)
==55921==    by 0x1B67D4: Curl_http_connect (http.c:1551)
==55921==    by 0x15C03A: multi_runsingle (multi.c:2027)
==55921==    by 0x15D7B6: curl_multi_perform (multi.c:2683)
==55921==    by 0x147FFB: easy_transfer (easy.c:663)
==55921==    by 0x14822C: easy_perform (easy.c:753)
==55921==    by 0x148276: curl_easy_perform (easy.c:772)
==55921==    by 0x13D064: serial_transfers (tool_operate.c:2429)
==55921==
==55921==
==55921== HEAP SUMMARY:
==55921==     in use at exit: 0 bytes in 0 blocks
==55921==   total heap usage: 4,712 allocs, 4,713 frees, 893,816 bytes allocated
==55921==
==55921== All heap blocks were freed -- no leaks are possible
==55921==
==55921== For lists of detected and suppressed errors, rerun with: -s
==55921== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```

## Impact

Double-free is nasty
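The trace shows one block, allocated in `connect_init`, released once on the `conn_free` path and again on the `Curl_free_request_state` path. The following is an added example, not part of the report and not curl's code or its fix: a constructed model of that two-owner pattern with a quarantining free that counts the second release, next to a single release point that clears every alias. All struct, field and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: one heap block reachable from two owners.
   Names are hypothetical; 984 is the block size from the trace. */
struct block { int freed; char payload[984]; };
struct conn_model { struct block *tunnel; };  /* released on the connection path */
struct req_model { struct block *tunnel; };   /* released on the request path */

static int invalid_frees;

/* Quarantining free: marks the block instead of releasing it, so a
   second free of the same block is counted, not passed to the heap. */
static void model_free(struct block *b)
{
  if(!b)
    return;
  if(b->freed)
    invalid_frees++;
  b->freed = 1;
}

/* Single release point: free once, then clear every alias. */
static void release_tunnel(struct conn_model *c, struct req_model *r)
{
  model_free(c->tunnel);
  c->tunnel = NULL;
  r->tunnel = NULL;
}

/* Runs both cleanup paths over one block; returns the invalid-free count. */
static int teardown(int hardened)
{
  struct block *b = calloc(1, sizeof(*b));
  struct conn_model conn = { b };
  struct req_model req = { b };
  if(!b)
    return -1;
  invalid_frees = 0;
  if(hardened)
    release_tunnel(&conn, &req);  /* connection path clears both aliases */
  else
    model_free(conn.tunnel);      /* connection path frees its copy only */
  model_free(req.tunnel);         /* request path runs afterwards */
  free(b);                        /* real release, exactly once */
  return invalid_frees;
}

int main(void) { printf("buggy=%d hardened=%d\n", teardown(0), teardown(1)); return 0; }
```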

Report Details

Additional information and metadata

State: Closed

Substate: Resolved

Weakness: Double Free